# use dehydrated to automatically generate and renew Let's Encrypt certificates for HAproxy

## Install

install `curl`:
```
apt install curl
```
download the dehydrated script to `/usr/local/bin`:
```
cd /usr/local/bin/
wget https://raw.githubusercontent.com/dehydrated-io/dehydrated/master/dehydrated
chmod +x dehydrated
```

## Configure HAproxy HTTP

We need to configure HAProxy to route Let's Encrypt validation requests (anything under `/.well-known/acme-challenge/`) to the standalone certbot listener. The beginning of your web frontend should look like:
```
frontend www
        bind *:80
        option forwardfor

        # Reroute certbot requests to certbot
        use_backend certbot if { path_beg /.well-known/acme-challenge/ }

        ...
```
and also add a backend:
```
backend certbot
        server certbot localhost:8888
```

## Configure Certbot

We also want to configure Certbot so we can easily use it for creating/renewing certificates for HAproxy. Edit the file `/etc/letsencrypt/cli.ini` and add the lines:
```
standalone
# tls-sni challenge is deprecated
preferred-challenges = http
http-01-port = 8888
deploy-hook = /etc/letsencrypt/deploy-hook.sh
```
We also need to add the deploy hook script that we referenced in the config file, at `/etc/letsencrypt/deploy-hook.sh`. The contents of the script should be:
```
#!/bin/sh
# Deploy hook run by certbot after a successful issue/renew.
# certbot exports RENEWED_LINEAGE, e.g. /etc/letsencrypt/live/example.com
set -e

mkdir -p /etc/haproxy/certs
base=$(basename "$RENEWED_LINEAGE")
# HAProxy wants the full chain and the private key in one PEM file;
# umask 077 keeps the file (and the private key in it) readable by root only.
umask 077
cat "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" > "/etc/haproxy/certs/$base.pem"
#etckeeper commit "got new Let's Encrypt certificate for $base"
service haproxy reload
```
(Uncomment the `etckeeper` line if you are using etckeeper to store your configuration). And don't forget to make the script executable:
```
chmod +x /etc/letsencrypt/deploy-hook.sh
```
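The deploy hook above reloads HAProxy unconditionally, so a missing `privkey.pem` or a half-written bundle would leave HAProxy refusing to start its HTTPS listener. As an added example (not part of the original page), the following POSIX shell script performs the same combine step defensively: it requires both input files, writes the bundle root-only readable, checks that the result actually contains a certificate and a private key block, and only then moves it into place atomically. The function name `combine_lineage`, the temporary-file naming and the sample PEM contents used in the test are assumptions/constructed, not certbot's or HAProxy's own conventions.

```shell
#!/bin/sh
# Added example (not from the original page): a defensive version of the
# certbot deploy hook's "combine fullchain + privkey for HAProxy" step.
# Function name combine_lineage and the .tmp naming are assumptions.

# combine_lineage LINEAGE_DIR OUT_DIR
#   LINEAGE_DIR is what certbot passes in $RENEWED_LINEAGE
#   (e.g. /etc/letsencrypt/live/example.com). Writes OUT_DIR/<name>.pem.
#   Returns 1 without touching OUT_DIR/<name>.pem if anything is wrong.
combine_lineage() {
    lineage="$1"
    outdir="$2"
    base=$(basename "$lineage")

    # Both inputs must exist and be non-empty; a missing privkey.pem would
    # otherwise produce a bundle HAProxy rejects at reload time.
    [ -s "$lineage/fullchain.pem" ] && [ -s "$lineage/privkey.pem" ] || return 1

    mkdir -p "$outdir" || return 1
    tmp="$outdir/.$base.pem.tmp"

    # umask 077 inside a subshell: the bundle carries the private key, so it
    # is created root-only readable without changing the caller's umask.
    ( umask 077; cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp" ) || return 1

    # Sanity-check the bundle before it replaces the live file.
    if ! grep -q 'BEGIN CERTIFICATE' "$tmp" || ! grep -q 'PRIVATE KEY' "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # Atomic replace: HAProxy never sees a half-written file on reload.
    mv -f "$tmp" "$outdir/$base.pem"
}

# When run by certbot as the deploy hook, RENEWED_LINEAGE is set; reload
# HAProxy only if the bundle was rebuilt successfully.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    combine_lineage "$RENEWED_LINEAGE" /etc/haproxy/certs && service haproxy reload
fi
```

Install it as `/etc/letsencrypt/deploy-hook.sh` in place of the simpler script if you want the reload to be skipped whenever the bundle could not be built; certbot reports a non-zero deploy-hook exit status in its log, which is the signal to look at.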

With this configuration, you should be able to run certbot to obtain a certificate. The cron job that is automatically set up when you install certbot will also work correctly with this configuration.

## Get Certificate

Run Certbot to get a certificate:
```
certbot certonly
```
After successfully acquiring a certificate, the deploy hook will automatically put the combined certificate in `/etc/haproxy/certs/` for you.

## Configure HAproxy HTTPS

Now that you have a certificate in `/etc/haproxy/certs/`, you can configure HAProxy for HTTPS. The beginning of your web frontend should now look like:
```
frontend www
        bind *:80
        bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
        option forwardfor
        http-request set-header X-Forwarded-Proto https if { ssl_fc }

        # Reroute letsencrypt requests to certbot
        use_backend certbot if { path_beg /.well-known/acme-challenge/ }

        # Reroute HTTP to HTTPS. http-request rules are evaluated before
        # use_backend, so exclude the ACME challenge path or port-80
        # validation requests get redirected instead of reaching certbot.
        http-request redirect scheme https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }

        ...
```